Secure Programming Lab 3: Solutions
|
|
- Robert Riley
- 6 years ago
- Views:
Transcription
1 Secure Programming Lab 3: Solutions Rui Li, Arthur Chan and David Aspinall 14th March Metadata and privacy Checkpoint 1. Where did the metadata come from? Is any of the data concerning from a privacy perspective? Mostly from the image and the camera app, but also some from the connection to the server. Much could be seen as concerning: the make and model of the camera could be used to identify users if only one has that device. The GPS coordinates are obviously concerning. The base64 encoded username and IP address are worrying on a site that is essentially pseudo-anonymous. The user-agent gives quite precise Checkpoint 2. Pick a bit of metadata and describe how it could be used to attack, or deanonymise a user. Image Model: if only one person is using that device in your vicinity they re probably the user. Connecting-IP and User-Agent: gives you a target to attack and a hint at what software they may be running. Date Time and GPS: this person must be taking Secure Programming! Task: Some of the metadata has come from the EXIF tags embedded in the image. Modify the app to strip the EXIF tags. Have a look at android.media.exifinterface.setattribute(). Checkpoint 3. How accurate is the data? Where do the coordinates say the pictures were taken? Not very. The app is set up to use the last known coarse location. This could change with time however. You ll need to convert to decimal degrees and make the longitude negative since we re west of Greenwich. You can then plot them on Google Maps. I usually turn up on Dalrymple Crescent, about a mile from the Informatics Forum where the picture was taken. 2. Transport Security Checkpoint 4. Describe the size and format of the key. What is the certificate s chain of trust? For what sites is the key valid? It s an SSL certificate signed by a 2048 bit RSA key on a SHA256 Hash. The chain of trust goes: DST Root CA X3 -> Let s Encrypt Authority X3 -> infr11098.space The certificate is only valid for infr11098.space (the Common Name). Checkpoint 5. Many browsers have the certificate authority s certificates built in. In Firefox they can be found in the Certificates tab under Advanced in about:preferences. Find the CA certificates used to sign infr11098.space. 1
2 Essentially the certificates identified in checkpoint 3. Task: Modify the app to use the HTTPS protocol if the server address requires it. If an error occurs you should stop and report the message to the user. Essentially just switch the HttpURLConnection for an HttpsURLConnection. Some switching based on the url.getprotocol would be nice. Checkpoint 6. Does the connection still work? If not why not? Nope. The certificate is not valid for the ip address, it only valid for the domain name infr11908.space. That is not the domain embedded in the certificate, even though they both point to the same server. 3. Pinned Certificates Checkpoint 7. Think about the two attacks, and the work required for an attacker. What certificates would the attacker need for their deception to work with HTTPS? How might the user notice they were being attacked? Simple Approach: relies on user not spotting the typo. The attacker would need a certificate for their own domain, which should be easily available. Some browsers may report that the domain is probably not the one you intended to visit. MITM: relies on you tricking the user into installing your fake certificate, or getting a CA to issue you with a certificate (which they should not do). Users may notice the certificate is different if they are weirdly observant. DigiNotar were caught issuing bad certificates for google.com in The National Informatics Center of India and the Indian Controller of Certifying Authorities were caught in Task: Implement certificate pinning for the app and the server. Moxie Marlinspike (Ex-head of security at Twitter, and Open Whisper Systems founder) has written a library to do this. The code is freely available and is worth reading for a guide to doing it correctly
3 Android Pinning Source Code PinningTrustManager.java/ / Copyright (C) Moxie Marlinspike This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see < / package org.thoughtcrime.ssl.pinning; import android.util.log; import java.security.keystoreexception; import java.security.messagedigest; import java.security.nosuchalgorithmexception; import java.security.cert.certificateexception; import java.security.cert.x509certificate; import java.util.arrays; import java.util.collections; import java.util.hashset; import java.util.linkedlist; import java.util.list; import java.util.set; import javax.net.ssl.trustmanager; import javax.net.ssl.trustmanagerfactory; import javax.net.ssl.x509trustmanager; / A TrustManager implementation that enforces Certificate "pins." <p> PinningTrustManager is layered on top of the system's default TrustManager, such that the system continues to validate CA signatures for SSL connections as usual. Additionally, however, PinningTrustManager will enforce certificate constraints on the validated certificate chain. Specifically, it will ensure that one of an arbitrary number of specified SubjectPublicKeyInfos appears somewhere in the valid certificate chain. </p> <p> 3
4 To use: <pre> TrustManager[] trustmanagers = new TrustManager[1]; trustmanagers[0] = new PinningTrustManager(SystemKeyStore.getInstance(), new String[] {"f30012bbc18c231ac1a44b788e410ce ); SSLContext sslcontext = SSLContext.getInstance("TLS"); sslcontext.init(null, trustmanagers, null); HttpsURLConnection urlconnection = (HttpsURLConnection)new URL(" urlconnection.setsslsocketfactory(sslcontext.getsocketfactory()); InputStream in = urlconnection.getinputstream(); </pre> Moxie Marlinspike / public class PinningTrustManager implements X509TrustManager { private final TrustManager[] systemtrustmanagers; private final SystemKeyStore systemkeystore; private final long enforceuntiltimestampmillis; private final List<byte[]> pins = new LinkedList<byte[]>(); private final Set<X509Certificate> cache = Collections.synchronizedSet(new HashSet<X509Certificate public PinningTrustManager(SystemKeyStore keystore, String[] pins, long enforceuntiltimestampmilli / Constructs a PinningTrustManager with a set of valid keystore A SystemKeyStore that validation will be based pins An array of encoded pins to match a seen certificate chain against. A pin is a hex-encoded hash of a X.509 certificate's SubjectPublicKeyInfo. A pin can be generated using the provided pin.py script: python./tools/pin.py enforceuntiltimestampmillis A timestamp (in milliseconds) when pins will stop being enforced. Normal non-pinned certificate validation will continue. Set this to some period after your build date, or to 0 to enforce pins forever. / this.systemtrustmanagers = initializesystemtrustmanagers(keystore); this.systemkeystore = keystore; this.enforceuntiltimestampmillis = enforceuntiltimestampmillis; for (String pin : pins) { this.pins.add(hexstringtobytearray(pin)); 4
5 private TrustManager[] initializesystemtrustmanagers(systemkeystore keystore) { try { final TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); tmf.init(keystore.truststore); return tmf.gettrustmanagers(); catch (NoSuchAlgorithmException nsae) { throw new AssertionError(nsae); catch (KeyStoreException e) { throw new AssertionError(e); private boolean isvalidpin(x509certificate certificate) throws CertificateException { try { final MessageDigest digest = MessageDigest.getInstance("SHA1"); final byte[] spki = certificate.getpublickey().getencoded(); final byte[] pin = digest.digest(spki); for (byte[] validpin : this.pins) { if (Arrays.equals(validPin, pin)) { return true; return false; catch (NoSuchAlgorithmException nsae) { throw new CertificateException(nsae); private void checksystemtrust(x509certificate[] chain, String authtype) throws CertificateException { for (TrustManager systemtrustmanager : systemtrustmanagers) { ((X509TrustManager) systemtrustmanager).checkservertrusted(chain, authtype); private void checkpintrust(x509certificate[] chain) throws CertificateException { if (enforceuntiltimestampmillis!= 0 && System.currentTimeMillis() > enforceuntiltimestampmillis) { Log.w("PinningTrustManager", "Certificate pins are stale, falling back to system trust."); return; final X509Certificate[] cleanchain = CertificateChainCleaner.getCleanChain(chain, systemkeystore for (X509Certificate certificate : cleanchain) { if (isvalidpin(certificate)) { 5
6 return; throw new CertificateException("No valid pins found in chain!"); public void checkclienttrusted(x509certificate[] chain, String authtype) throws CertificateException { throw new CertificateException("Client certificates not supported!"); public void checkservertrusted(x509certificate[] chain, String authtype) throws CertificateException { if (cache.contains(chain[0])) { return; // Note: We do this so that we'll never be doing worse than the default // system validation. It's duplicate work, however, and can be factored // out if we make the verification below more complete. checksystemtrust(chain, authtype); checkpintrust(chain); cache.add(chain[0]); public X509Certificate[] getacceptedissuers() { return null; private byte[] hexstringtobytearray(string s) { final int len = s.length(); final byte[] data = new byte[len / 2]; for (int i = 0; i < len; i += 2) { data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16)); return data; public void clearcache() { cache.clear(); PinningSSLSocketFactory / 6
7 Copyright (C) Moxie Marlinspike This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see < / package org.thoughtcrime.ssl.pinning; import android.content.context; import org.apache.http.conn.ssl.sslsocketfactory; import org.apache.http.conn.ssl.x509hostnameverifier; import org.apache.http.params.httpconnectionparams; import org.apache.http.params.httpparams; import javax.net.ssl.sslcontext; import javax.net.ssl.sslsocket; import javax.net.ssl.trustmanager; import java.io.ioexception; import java.net.inetaddress; import java.net.inetsocketaddress; import java.net.socket; import java.security.keymanagementexception; import java.security.keystoreexception; import java.security.nosuchalgorithmexception; import java.security.unrecoverablekeyexception; / A standard Apache SSL Socket Factory that uses an pinning trust manager. <p> To use: <pre> String[] pins = new String[] {"40c5401d6f8cbaf08b00edefb1ee87d005b3b9cd"; SchemeRegistry schemeregistry = new SchemeRegistry(); schemeregistry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80)); schemeregistry.register(new Scheme("https", new PinningSSLSocketFactory(getContext(),pins, 0), 44 HttpParams httpparams = new BasicHttpParams(); ClientConnectionManager connectionmanager = new ThreadSafeClientConnManager(httpParams, schemereg DefaultHttpClient httpclient = new DefaultHttpClient(connectionManager, httpparams); 7
8 HttpResponse response = httpclient.execute(new HttpGet(" </pre> Moxie Marlinspike / public class PinningSSLSocketFactory extends SSLSocketFactory { private final javax.net.ssl.sslsocketfactory pinningsocketfactory; / Constructs a PinningSSLSocketFactory with a set of valid pins An array of encoded pins to match a seen certificate chain against. A pin is a hex-encoded hash of a X.509 certificate's SubjectPublicKeyInfo. A pin can be generated using the provided pin.py script: python./tools/pin.py enforceuntiltimestampmillis A timestamp (in milliseconds) when pins will stop being enforced. Normal non-pinned certificate validation will continue. Set this to some period after your build date, or to 0 to enforce pins forever. / public PinningSSLSocketFactory(Context context, String[] pins, long enforceuntiltimestampmillis) throws UnrecoverableKeyException, KeyManagementException, NoSuchAlgorithmException, KeyStoreException { super(null); final TrustManager[] pinningtrustmanagers = initializepinningtrustmanagers(keystore, pins, enfor final SystemKeyStore keystore = SystemKeyStore.getInstance(context); final SSLContext pinningsslcontext = SSLContext.getInstance(TLS); pinningsslcontext.init(null, pinningtrustmanagers, null); this.pinningsocketfactory = public Socket createsocket() throws IOException { return public Socket connectsocket(final Socket sock, final String host, final int port, final InetAddress localaddress, int localport, final HttpParams params) throws IOException { final SSLSocket sslsock = (SSLSocket) ((sock!= null)? sock : createsocket()); if ((localaddress!= null) (localport > 0)) { if (localport < 0) { 8
9 localport = 0; sslsock.bind(new InetSocketAddress(localAddress, localport)); final int conntimeout = HttpConnectionParams.getConnectionTimeout(params); final int sotimeout = HttpConnectionParams.getSoTimeout(params); final InetSocketAddress remoteaddress = new InetSocketAddress(host, port); sslsock.connect(remoteaddress, conntimeout); sslsock.setsotimeout(sotimeout); try { SSLSocketFactory.STRICT_HOSTNAME_VERIFIER.verify(host, sslsock); catch (IOException iox) { try { sslsock.close(); catch (Exception ignored) { throw iox; return public Socket createsocket(final Socket socket, final String host, int port, final boolean autoclose) throws IOException { if (port == -1) { port = 443; final SSLSocket sslsocket = (SSLSocket) pinningsocketfactory.createsocket(socket, host, port, au SSLSocketFactory.STRICT_HOSTNAME_VERIFIER.verify(host, sslsocket); return public void sethostnameverifier(x509hostnameverifier hostnameverifier) { throw new IllegalArgumentException("Only strict hostname verification (default) " + "is public X509HostnameVerifier gethostnameverifier() { return SSLSocketFactory.STRICT_HOSTNAME_VERIFIER; private TrustManager[] initializepinningtrustmanagers(systemkeystore keystore, 9
10 { String[] pins, long enforceuntiltimestampmillis) final TrustManager[] trustmanagers = new TrustManager[1]; trustmanagers[0] = new PinningTrustManager(keyStore, pins, enforceuntiltimestampmillis); return trustmanagers; 10
A1- Overview of Previous Project
Appendix to the Project Solar Flare: Solar Plant Data Acquisition & Visualization Samuel Caguana Instructor: Dr. Janusz Zalewski CEN 4935 Senior Software Engineering Project Florida Gulf Coast University
More informationIntroduction to Cisco CDS Software APIs
CHAPTER 1 Cisco Content Delivery System (CDS) software provides HyperText Transport Protocol Secure (HTTPS) application program interfaces (APIs) for monitoring and managing the acquisition and distribution
More informationIntroduction to Cisco ECDS Software APIs
CHAPTER 1 This chapter contains the following sections: Overview of HTTPS APIs, page 1-1 Calling the HTTPS APIs, page 1-2 Sample Java Program, page 1-3 API Error Messages, page 1-5 API Tasks, page 1-7
More informationIntroduction to Cisco CDS Software APIs
CHAPTER 1 Cisco Content Delivery System (CDS) software provides HyperText Transport Protocol Secure (HTTPS) application program interfaces (APIs) for monitoring and managing the acquisition and distribution
More informationNetCipher. Prerequisites. Network Security s Got Onions
NetCipher NetCipher is a library from the Guardian Project to improve the privacy and security of HTTP network communications. In particular, it makes it easier for your app to integrate with Orbot, an
More informationSmartphone Application Enabling Global Graph Exploitation and Research
Smartphone Application Enabling Global Graph Exploitation and Research by Mark R. Mittrick ARL-TR-6439 May 2013 Approved for public release; distribution is unlimited. NOTICES Disclaimers The findings
More informationEUCEG: Encryption process
EUROPEAN COMMISSION DIRECTORATE-GENERAL FOR HEALTH AND FOOD SAFETY General Affairs Information systems EUCEG: Encryption process Document Control Information Settings Document Title: Project Title: Document
More informationOverview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.
Overview of SSL/TLS Luke Anderson luke@lukeanderson.com.au 12 th May 2017 University Of Sydney Overview 1. Introduction 1.1 Raw HTTP 1.2 Introducing SSL/TLS 2. Certificates 3. Attacks Introduction Raw
More informationProgramming Project # 2. CS255 Due: Wednesday, 3/9, 11:59pm Pacific Elizabeth Stinson
Programming Project # 2 CS255 Due: Wednesday, 3/9, 11:59pm Pacific Elizabeth Stinson The players CertificateAuthority: everyone trusts him He signs the pub keys of valid entities (Brokers, BrokerClients)
More informationSSL/TLS and Why the CA System is Broken
SSL/TLS and Why the CA System is Broken or: How China can read your email James Schwinabart james@schwinabart.com September 6, 2011 What is SSL/TLS? Secure Sockets Layer or Transport Layer Security A protocol
More informationCrypto meets Web Security: Certificates and SSL/TLS
CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationAPI Programming Guide vcenter Chargeback Manager 2.5.0
vcenter Chargeback Manager 2.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent
More informationProgramming Project #2
CS255: Introduction to Cryptography Winter 2010 Programming Project #2 Due: Wednesday, March 10th, 2010, 11:59 pm 1 Overview 1.1 Introduction For programming project 2, you will implement a man-in-the-middle
More informationMan in the Middle Attacks and Secured Communications
FEBRUARY 2018 Abstract This document will discuss the interplay between Man in The Middle (MiTM/ MITM) attacks and the security technologies that are deployed to prevent them. The discussion will follow
More informationCryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea
Cryptography SSL/TLS Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 History Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent
More informationThe Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL Failures Who are these guys? Tony Trummer - Staff Security Engineer aka SecBro Tushar Dalvi - Sr. Security Engineer & Pool Hustler A Private Little War Our Click to edit
More informationPlug-In SDK Guide for vrealize Orchestrator
Plug-In SDK Guide for vrealize Orchestrator Development Guide T E C H N I C A L W H I T E P A P E R D E C E M B E R 2 0 1 6 V E R S I O N 1. 0 TECHNICAL WHITE PAPER /1 Table of Contents Overview... 3 Configuration
More informationNetworking and Security
Chapter 03 Networking and Security Mr. Nilesh Vishwasrao Patil Government Polytechnic Ahmednagar Socket Network socket is an endpoint of an interprocess communication flow across a computer network. Sockets
More informationProgramming Project #2
CS255: Cryptography and Computer Security Winter 2004 Programming Project #2 Due: Wednesday, March 10th, 2004, 11:59 pm 1 Overview 1.1 Introduction For programming project 2 you will implement a chat room
More informationUniform Resource Locators (URL)
The World Wide Web Web Web site consists of simply of pages of text and images A web pages are render by a web browser Retrieving a webpage online: Client open a web browser on the local machine The web
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationProgramming Project #2
CS255: Introduction to Cryptography Winter 2005 Programming Project #2 Due: Wednesday, March 9th, 2005, 11:59 pm 1 Overview 1.1 Introduction For programming project 2 you will implement a stock trading
More informationSecure Communication in Client-Server Android Apps
Secure Communication in Client-Server Android Apps With a bias towards mobile banking applications. AFRICA HACKON CONFERENCE, 2016. Convergent Security. whoami Masters Candidate Ethical Hacker Web Developer
More informationMobile Security Fall 2013
Mobile Security 14-829 Fall 2013 Yuan Tian Class #25 Security Misuse in Mobile 2013 Patrick Tague Outline Misuse of SSL in mobile development Misuse of encryption in mobile development Some slides are
More informationMarkLogic Server. XCC Developer s Guide. MarkLogic 9 May, Copyright 2018 MarkLogic Corporation. All rights reserved.
XCC Developer s Guide 1 MarkLogic 9 May, 2017 Last Revised: 9.0-2, July, 2017 Copyright 2018 MarkLogic Corporation. All rights reserved. Table of Contents Table of Contents XCC Developer s Guide 1.0 Introduction
More informationSophos Mobile Control Network Access Control interface guide
Sophos Mobile Control Network Access Control interface guide Product version: 5.1 Document date: July 2015 Contents 1 About Sophos Mobile Control... 3 2 About Network Access Control integration... 4 3
More informationANDROID BASED WS SECURITY AND MVC BASED UI REPRESENTATION OF DATA
ANDROID BASED WS SECURITY AND MVC BASED UI REPRESENTATION OF DATA Jitendra Ingale, Parikshit mahalle SKNCOE pune,maharashtra,india Email: jits.ingale@gmail.com ABSTRACT: Google s Android is open source;
More informationPrincess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)
Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536) Prepared by Dr. Samia Chelloug E-mail: samia_chelloug@yahoo.fr Content
More informationThe client also provides utilities to disassemble signatures (e.g. extracting the signer certificates, digest algorithms used etc.
Krestfield EzSign Client Integration Guide Version 2.1 Copyright Krestfield 2017 Introduction The Krestfield EzSign Client is a lightweight java package which interfaces with the EzSign Server enabling
More informationSecurity & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of
Contents Security & Privacy Contents Web Architecture and Information Management [./] Spring 2009 INFO 190-02 (CCN 42509) Erik Wilde, UC Berkeley School of Information Abstract 1 Security Concepts Identification
More informationDesign and Implementation of a RFC3161-Enhanced Time-Stamping Service
Design and Implementation of a RFC3161-Enhanced Time-Stamping Service Chung-Huang Yang, 1 Chih-Ching Yeh, 2 and Fang-Dar Chu 3 1 Institute of Information and Computer Education, National Kaohsiung Normal
More informationSecuring Connections for IBM Traveler Apps. Bill Wimer STSM for IBM Collaboration Solutions December 13, 2016
Securing Connections for IBM Traveler Apps Bill Wimer (bwimer@us.ibm.com), STSM for IBM Collaboration Solutions December 13, 2016 IBM Technote Article #21989980 Securing Connections for IBM Traveler mobile
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationExperimental Analysis of Popular Anonymous, Ephemeral, and End-to-End Encrypted Apps
UEOP 2016 Experimental Analysis of Popular Anonymous, Ephemeral, and End-to-End Encrypted Apps Lucky Onwuzurike and Emiliano De Cristofaro University College London https://emilianodc.com Our Work
More informationSpark 源码编译遇到的问题解决 Spark 大数据博客 -
1 内存不够 [ERROR] PermGen space -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors,re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging.
More information32c3. December 28, Nick https://crypto.dance. goto fail;
32c3 December 28, 2015 Nick Sullivan @grittygrease nick@cloudflare.com https://crypto.dance goto fail; a compendium of transport security calamities Broken Key 2 Lock 3 Lock 4 5 6 HTTP HTTPS The S stands
More informationMan in the middle attack on TextSecure Signal. David Wind IT SeCX 2015
Man in the middle attack on TextSecure Signal David Wind IT SeCX 2015 $ whoami David Wind Information Security Master student @ University of Applied Science St. Pölten Working for XSEC infosec GmbH since
More informationSecurity: Focus of Control. Authentication
Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized
More informationSQream Connector JDBC SQream Technologies Version 2.9.3
SQream Connector JDBC 2.9.3 SQream Technologies 2019-03-27 Version 2.9.3 Table of Contents The SQream JDBC Connector - Overview...................................................... 1 1. API Reference............................................................................
More informationFIRE (3473) Dallas Los Angeles Sydney New York London
Traditional project life cycles lasting 12+ months are increasingly putting organizations at a disadvantage to more nimble startups that can innovate and change direction at a faster pace. New Agile development
More informationInternet of Things: Threats and counter measures with Java
Internet of Things: Threats and counter measures with Java Florian Tournier Director, IoT Product Management Oracle Patrick Van Haver Principal Engineer, Internet of Things Oracle Safe Harbor Statement
More informationSecurity protocols, properties, and their monitoring Andreas Bauer, Jan Jürjens
Security protocols, properties, and their monitoring Andreas Bauer, Jan Jürjens Computer Sciences Lab Computing Department The Open University, GB The Australian National University http://www.umlsec.org
More information1. a clear text string (this could represent a password for instance).
Salted hashes demystified A Primer This primer will provide a basic level explanation of how seeded (or salted) hashes of clear text data are structured / created. The original formalization of this concept
More informationSecuring Internet Communication: TLS
Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases
More informationBut where'd that extra "s" come from, and what does it mean?
SSL/TLS While browsing Internet, some URLs start with "http://" while others start with "https://"? Perhaps the extra "s" when browsing websites that require giving over sensitive information, like paying
More informationPractical Issues with TLS Client Certificate Authentication
Practical Issues with TLS Client Certificate Authentication Arnis Parsovs February 26, 2014 1 / 10 Motivation 2 / 10 Motivation Problems with password authentication: 2 / 10 Motivation Problems with password
More informationImplementing Secure Socket Layer
This module describes how to implement SSL. The Secure Socket Layer (SSL) protocol and Transport Layer Security (TLS) are application-level protocols that provide for secure communication between a client
More informationSSL / TLS. Crypto in the Ugly Real World. Malvin Gattinger
SSL / TLS Crypto in the Ugly Real World Malvin Gattinger 2016-03-17 SSL/TLS Figure 1: The General Picture SSL or TLS Goal: Authentication and Encryption Secure Sockets Layer SSL 1 (never released), 2 (1995-2011)
More informationLecture 9a: Secure Sockets Layer (SSL) March, 2004
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by
More informationInternet security and privacy
Internet security and privacy SSL/TLS 1 Application layer App. TCP/UDP IP L2 L1 2 Application layer App. SSL/TLS TCP/UDP IP L2 L1 3 History of SSL/TLS Originally, SSL Secure Socket Layer, was developed
More informationTesting and Configuration Guide for Cisco Platform Exchange Grid (pxgrid) 2.0. Author: John Eppich
Testing and Configuration Guide for Cisco Platform Exchange Grid (pxgrid) 2.0 Author: John Eppich Table of Contents About this Document... 4 Technical Overview... 5 Illustrating Cisco pxgrid Client Flow
More informationWHITE PAPER. Authentication and Encryption Design
WHITE PAPER Authentication and Encryption Design Table of Contents Introduction Applications and Services Account Creation Two-step Verification Authentication Passphrase Management Email Message Encryption
More informationSAP Web Dispatcher SSL Trust Configuration How to Configure SAP Web Dispatcher to Trust Backend System SSL Certificate
SAP Web Dispatcher SSL Trust Configuration How to Configure SAP Web Dispatcher to Trust Backend System SSL Certificate TABLE OF CONTENTS 1 PREREQUISITE... 3 2 SYMPTOM... 3 3 EXPLANATION... 4 4 SOLUTION...
More informationSecurity: Focus of Control
Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized
More informationWhy bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?
Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationHashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5
Hashes, MACs & Passwords Tom Chothia Computer Security Lecture 5 Today s Lecture Hash functions: Generates a unique short code from a large file Uses of hashes MD5, SHA1, SHA2, SHA3 Message Authentication
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2011 Quiz II You have 80 minutes to answer the questions in this quiz. In order to receive credit
More informationCore Security Services and Bootstrapping in the Cherubim Security System
Core Security Services and Bootstrapping in the Cherubim Security System Charles Willis cfwillis@uiuc.edu Technical Report 2 July 1998 University of Illinois at Urbana-Champaign Department of Computer
More informationSSL/TLS Vulnerability Detection Using Black Box Approach
Journal of Physics: Conference Series PAPER OPEN ACCESS SSL/TLS Vulnerability Detection Using Black Box Approach To cite this article: D Gunawan et al 2018 J. Phys.: Conf. Ser. 978 012121 View the article
More informationPublic-Key Infrastructure (PKI) Lab
SEED Labs PKI Lab 1 Public-Key Infrastructure (PKI) Lab Copyright 2018 Wenliang Du, Syracuse University. The development of this document was partially funded by the National Science Foundation under Award
More informationThe Android security jungle: pitfalls, threats and survival tips. Scott
The Android security jungle: pitfalls, threats and survival tips Scott Alexander-Bown @scottyab The Jungle Ecosystem Google s protection Threats Risks Survival Network Data protection (encryption) App/device
More informationChapter 4: Securing TCP connections
Managing and Securing Computer Networks Guy Leduc Chapter 5: Securing TCP connections Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley, March 2012. (section
More informationPretty Good Privacy (PGP
PGP - S/MIME - Internet Firewalls for Trusted System: Roles of Firewalls Firewall related terminology- Types of Firewalls - Firewall designs - SET for E-Commerce Transactions. Pretty Good Privacy (PGP
More informationOCSP Stapling. Let the web server protect the users! SWITCHpki Team Bern, SWITCH 1
Stapling Let the web server protect the users! SWITCHpki Team pki@switch.ch Bern, 29.03.2017 2017 SWITCH 1 Rejecting Revoked Certificates Web browsers should check whether a web server's SSL certificate
More informationConfiguring Secure Socket Layer HTTP
This feature provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP 1.1 client within Cisco IOS software. SSL provides server authentication, encryption, and message integrity
More informationJAVA - DRI Connection Test Manual
JAVA - DRI Connection Test Manual This is a step by step guide on how to access the DRI Web service with native Java. 1. Install the NetBeans IDE Since the DRI Web service is developed in.net WCF, interoperability
More informationUnified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration
Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration Contents Introduction Requirements Components Used Part A. SSO Message Flow Part B. Certificates Used in IDP
More informationConfiguring Secure Socket Layer HTTP
This feature provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP 1.1 client within Cisco IOS software. SSL provides server authentication, encryption, and message integrity
More informationHow to Configure SSL Interception in the Firewall
Most applications encrypt outgoing connections with SSL or TLS. SSL Interception decrypts SSL-encrypted HTTPS and SMTPS traffic to allow Application Control features (such as the Virus Scanner, ATP, URL
More informationAPI Knowledge Coding Guide Version 7.2
API Knowledge Coding Guide Version 7.2 You will be presented with documentation blocks extracted from API reference documentation (Javadocs and the like). For each block, you will be also presented with
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationPKI Cert Creation via Good Control: Reference Implementation
PKI Cert Creation via Good Control: Reference Implementation Legal Notice Copyright 2016 BlackBerry Limited. All rights reserved. All use is subject to license terms posted at http://us.blackberry.com/legal/legal.html.
More informationHigh -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018
HTB_WEBSECDOCS_v1.3.pdf Page 1 of 29 High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018 General Overview... 2 Meta-information... 4 HTTP Additional
More informationLegacy of Heartbleed: MITM and Revoked Certificates. Alexey Busygin NeoBIT
Legacy of Heartbleed: MITM and Revoked Certificates Alexey Busygin busygin@neobit.ru NeoBIT Notable Private Key Leaks 2010 DigiCert Sdn Bhd. issued certificates with 512-bit keys 2012 Trustwave issued
More informationQUICK SET-UP VERIFICATION...3
TABLE OF CONTENTS 1 QUICK SET-UP VERIFICATION...3 2 INSTALLING CERTIFICATES...3 3 IF YOU USE MS INTERNET EXPLORER...3 3.1 INSTALLING THE CERTIFICATE...3 3.2 SSL3 ACTIVATION:...3 3.3 JAVASCRIPT ACTIVATION...3
More informationManaging Certificates
CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer
More informationThe Transport Layer Security (TLS) Protocol
The (TLS) Protocol Lectures Notes for the Computer Security course Pedro Félix (pedrofelix at cc.isel.ipl.pt) José Simão (jsimao at cc.isel.ipl.pt) Instituto Superior de Engenharia de Lisboa Some history
More informationIBM i Version 7.2. Security Digital Certificate Manager IBM
IBM i Version 7.2 Security Digital Certificate Manager IBM IBM i Version 7.2 Security Digital Certificate Manager IBM Note Before using this information and the product it supports, read the information
More informationHttpClient Tutorial. Oleg Kalnichevski
HttpClient Tutorial Oleg Kalnichevski Preface... iv 1. HttpClient scope... iv 2. What HttpClient is NOT... iv 1. Fundamentals... 1 1.1. Request execution... 1 1.1.1. HTTP request... 1 1.1.2. HTTP response...
More informationPublic-key Infrastructure Options and choices
Public-key Infrastructure Options and choices Tim Moses Director, Advanced Security Technology April 98 1997 Entrust Technologies Overview General-purpose and Dedicated PKIs Trust models Two-key architecture
More informationSimSun "zh" = 0pt plus 1pt
SimSun "zh" = 0pt plus 1pt 0.1 2015-11-09 06:35:58 Contents 1 3 1.1...................................................... 3 1.2...................................................... 3 1.3......................................................
More informationWired Dot1x Version 1.05 Configuration Guide
Wired Dot1x Version 1.05 Configuration Guide Document ID: 64068 Introduction Prerequisites Requirements Components Used Conventions Microsoft Certificate Services Installation Install the Microsoft Certificate
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust
More informationEncryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls
Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls Overview Cryptography functions Secret key (e.g., DES) Public key (e.g., RSA) Message
More informationMobile Development Lecture 9: Android & RESTFUL Services
Mobile Development Lecture 9: Android & RESTFUL Services Mahmoud El-Gayyar elgayyar@ci.suez.edu.eg Elgayyar.weebly.com What is a RESTFUL Web Service REST stands for REpresentational State Transfer. In
More informationSECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA
SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA CTO Office www.digi.me another Engineering Briefing digi.me keeping your data secure at all times ALL YOUR DATA IN ONE PLACE TO SHARE WITH PEOPLE WHO
More informationCS 61B Discussion 5: Inheritance II Fall 2014
CS 61B Discussion 5: Inheritance II Fall 2014 1 WeirdList Below is a partial solution to the WeirdList problem from homework 3 showing only the most important lines. Part A. Complete the implementation
More informationSecure Sockets Layer (SSL) / Transport Layer Security (TLS)
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Brad Karp UCL Computer Science CS GZ03 / M030 20 th November 2017 What Problems Do SSL/TLS Solve? Two parties, client and server, not previously
More informationManaging SSL/TLS Traffic Flows
Some protocols, such as HTTPS, use Secure Sockets Layer (SSL) or its follow-on version, Transport Layer Security (TLS), to encrypt traffic for secure transmissions. Because encrypted traffic cannot be
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationEncryption, Certificates and SSL DAVID COCHRANE PRESENTATION TO BELFAST OWASP CHAPTER OCTOBER 2018
Encryption, Certificates and SSL DAVID COCHRANE PRESENTATION TO BELFAST OWASP CHAPTER OCTOBER 2018 Agenda Basic Theory: encryption and hashing Digital Certificates Tools for Digital Certificates Design
More informationWavecrest Certificate SHA-512
Wavecrest InstallationGuide Wavecrest Certificate SHA-512 www.wavecrest.net Copyright Copyright 1996-2018, Wavecrest Computing, Inc. All rights reserved. Use of this product and this manual is subject
More informationA look at the PGP keyserver data
A look at the PGP keyserver data Hanno Böck 1 / 23 The PGP Ecosystem Should we care? PGP problems Is PGP here to stay? Conclusion The PGP Ecosystem The OpenPGP standard (RFC 4880) Software packages (Original
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationHow to configure the UTM Web Application Firewall for Microsoft Remote Desktop Gateway connectivity
How to configure the UTM Web Application Firewall for Microsoft Remote Desktop Gateway connectivity This article explains how to configure your Sophos UTM to allow access Microsoft s Remote Desktop Gateway
More informationWhat Is Voice SEO and Why Should My Site Be Optimized For Voice Search?
What Is Voice SEO and Why Should My Site Be Optimized For Voice Search? Voice search is a speech recognition technology that allows users to search by saying terms aloud rather than typing them into a
More informationCS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL
CS 393 Network Security Nasir Memon Polytechnic University Module 12 SSL Course Logistics HW 4 due today. HW 5 will be posted later today. Due in a week. Group homework. DoD Scholarships? NSF Scholarships?
More informationCOSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS
COSC 301 Network Management Lecture 15: SSL/TLS and HTTPS Zhiyi Huang Computer Science, University of Otago COSC301 Lecture 15: SSL/TLS and HTTPS 1 Today s Focus WWW WWW How to secure web applications?
More information